topic Re: Search based on response from another search query in Splunk Search

Search based on response from another search query

stagare — Fri, 14 Jun 2024 22:27:57 GMT

First Splunk query gives me a value in a table. The value is a jobId. I want to use this jobId in another search query like a second one. Can we join them in Splunk way?

index=myindex cs2k_transaction_id_in_error="CHG063339403031900 major_code="ERROR" | rex field=_raw "Job Id: (?<jobId>.*?)\." | table jobId

index=myindex "TTY" "jobId"

Re: Search based on response from another search query

P_vandereerden — Fri, 14 Jun 2024 21:45:47 GMT

Have you tried a subsearch?

index=myindex "TTY" [ search index=myindex cs2k_transaction_id_in_error="CHG063339403031900 major_code="ERROR" | rex field=_raw "Job Id: (?<jobId>.*?)\." | table jobId ]

Re: Search based on response from another search query

stagare — Fri, 14 Jun 2024 22:16:40 GMT

Thanks for the reply, yes, I have tried that already. It does not work. The response (jobId) is in a table so that wont allow this subsearch.

Re: Search based on response from another search query

P_vandereerden — Fri, 14 Jun 2024 23:04:46 GMT

Ah.
I suspect this is more about the rex expression than the table.

You could try a join:

index=myindex TTY | rex field=_raw "Job Id: (?<jobId>.*?)\." | join left=L right=R where L.jobId=R.jobId [search index=myindex cs2k_transaction_id_in_error="CHG063339403031900" major_code="ERROR" | rex field=_raw "Job Id: (?<jobId>.*?)\." | table jobId ]

Re: Search based on response from another search query

stagare — Sun, 16 Jun 2024 14:21:17 GMT

Hi Paul, this join looks to be working. Thank you very much..